PHPDeveloper.org (http://www.phpdeveloper.org)
Up-to-the Minute PHP News, views and community (en-us). Feed last built: Tue, 03 Mar 2015 13:02:04 -0600

http://www.phpdeveloper.org/news/21313
Timoh has published a data encryption cheatsheet to his blog today. It's "a short guide" to help you prevent some of the more common encryption-related problems in your application, specifically around symmetric data encryption.

This cheatsheet assumes a "client-server" situation, which is probably a typical case with PHP applications. Naturally the recommendations given here are not the "only possible way" to handle data encryption in PHP, but this cheatsheet aims to be straightforward and tries to leave less room for mistakes and (possibly confusing) choices.

It's jam-packed full of great information, so definitely check it out if you're doing any kind of encryption in PHP.

Link: https://timoh6.github.io/2014/06/16/PHP-data-encryption-cheatsheet.html

Posted: Tue, 17 Jun 2014 10:52:44 -0500

http://www.phpdeveloper.org/news/21020
In his most recent post Edd Mann shows how to secure sessions in PHP applications with a custom SessionHandler class and a bit of encryption. For those who want the full code right away, check out this gist over on GitHub.

Following on from my previous post on Self-signed SSL certificates, I would now like to address the second most common Web application vulnerability (Broken Authentication and Session Management). When delving into the subject I was unable to find a definitive resource for a PHP implementation. Due to this, I set out to combine all the best practice I could find into a single Session handler, to help protect against the common attack vectors. Since PHP 5.4, you are able to set the Session handler based on a class instance that extends the default 'SessionHandler' class.

He walks through the code, covering the functionality it offers, how it encrypts the session data, and how it integrates expiration and validation (fingerprinting the client). There's also a handy pair of get and set methods for accessing values in the current session. One thing to note: the example requires PHP 5.4 or above, since it extends the SessionHandler class that version introduced.
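As an added illustration of the pattern described above (this is example code written for this page, not Edd Mann's handler from the gist), here is a handler that extends PHP's SessionHandler, encrypts the serialized session with AES-256-GCM through the openssl extension rather than mcrypt, and checks a client fingerprint and an idle timeout after session_start(). The key file path, the fingerprint inputs and the timeout value are assumptions for the demo.

```php
<?php
// Added example for this page, not the code from the linked post.
// Requires PHP 7.1+ (openssl_encrypt with AEAD tag support, random_bytes).

class EncryptedSessionHandler extends SessionHandler
{
    private $key;

    public function __construct(string $keyFile)
    {
        // Assumption: a 32-byte key generated once and stored outside the web root.
        $key = file_get_contents($keyFile);
        if ($key === false || strlen($key) !== 32) {
            throw new RuntimeException('session key must be exactly 32 bytes');
        }
        $this->key = $key;
    }

    public function read($id): string
    {
        $blob = parent::read($id);
        if ($blob === false || $blob === '') {
            return '';
        }
        $plain = $this->decrypt($blob);
        // A tampered or foreign blob fails the GCM tag check: start with an empty
        // session rather than unserializing attacker-controlled data.
        return $plain === null ? '' : $plain;
    }

    public function write($id, $data): bool
    {
        return parent::write($id, $this->encrypt($data));
    }

    private function encrypt(string $plain): string
    {
        $iv = random_bytes(12);   // 96-bit nonce, fresh for every write
        $tag = '';
        $cipher = openssl_encrypt($plain, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
        if ($cipher === false) {
            throw new RuntimeException('session encryption failed');
        }
        return base64_encode($iv . $tag . $cipher);
    }

    private function decrypt(string $blob)
    {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < 28) {
            return null;
        }
        $iv     = substr($raw, 0, 12);
        $tag    = substr($raw, 12, 16);
        $cipher = substr($raw, 28);
        $plain  = openssl_decrypt($cipher, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        return $plain === false ? null : $plain;   // false means the tag did not verify
    }
}

// Fingerprint and idle-timeout checks, run after session_start().
function fingerprint(): string
{
    // Assumption: user agent plus the first three octets of the client address.
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    $net = implode('.', array_slice(explode('.', $ip), 0, 3));
    return hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' . $net);
}

function validateSession(int $idleTimeout = 1800): bool
{
    $now = time();
    if (!isset($_SESSION['_fp'], $_SESSION['_last'])) {
        $_SESSION['_fp']   = fingerprint();
        $_SESSION['_last'] = $now;
        return true;
    }
    if (!hash_equals((string)$_SESSION['_fp'], fingerprint()) || $now - (int)$_SESSION['_last'] > $idleTimeout) {
        $_SESSION = [];                 // drop the data and rotate the id
        session_regenerate_id(true);
        return false;
    }
    $_SESSION['_last'] = $now;
    return true;
}

$handler = new EncryptedSessionHandler('/etc/myapp/session.key');   // assumed path
session_set_save_handler($handler, true);
session_start();
$sessionOk = validateSession();
```

The encryption key is deliberately not derived from anything in the request, and a blob that fails authentication is treated as "no session" rather than as an error to report, so a tampered cookie or storage entry cannot feed data into unserialize().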

Link: http://eddmann.com/posts/securing-sessions-in-php

Posted: Wed, 09 Apr 2014 12:14:23 -0500

http://www.phpdeveloper.org/news/20889
The SitePoint PHP blog has a new post today about the challenges of password hashing and some of the common risks that can come with it. It's a continuation of a previous article about the actual techniques for hashing in PHP.

The fact that the output of a hash function cannot be reverted back to the input using an efficient algorithm does not mean that it cannot be cracked. Databases containing hashes of common words and short strings are usually within our reach with a simple google search. Also, common strings can be easily and quickly brute-forced or cracked with a dictionary attack.

He points to a video demonstrating how password data can be recovered from a leaked database and why salted hashes alone aren't a secure way to store it. He mentions a "randomness issue" with PHP's rand function (it is not a cryptographically secure generator) and instead shows an example using openssl_random_pseudo_bytes to pull a chunk of random data. He then talks about password stretching with the PBKDF2 support in PHP. Finally, he goes beyond hashing and into encryption, mentioning "password tweaking" as an alternative to generating a single key for every user.
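A worked version of the salt-and-stretch step described above, added here as example code rather than SitePoint's: a random salt from random_bytes (the CSPRNG PHP 7 added; openssl_random_pseudo_bytes is the PHP 5 equivalent the article uses), PBKDF2 through hash_pbkdf2 (PHP 5.5+), a self-describing record format, and a constant-time verify. The iteration count and the record layout are assumptions; tune the count to your hardware.

```php
<?php
// Added example for this page, not the SitePoint article's code.
// Requires PHP 7.1+ (random_bytes, short list assignment); hash_pbkdf2 exists since 5.5.

const PBKDF2_ALGO       = 'sha256';
const PBKDF2_ITERATIONS = 200000;   // assumption: tune so one hash costs ~100 ms on your servers
const PBKDF2_SALT_BYTES = 16;
const PBKDF2_HASH_BYTES = 32;

// Returns algo$iterations$salt$hash (salt and hash hex-encoded) so the work
// factor can be raised later without invalidating existing records.
function pbkdf2_hash_password(string $password, int $iterations = PBKDF2_ITERATIONS): string
{
    // random_bytes() is a CSPRNG; rand()/mt_rand() are not and must never supply salts.
    $salt = random_bytes(PBKDF2_SALT_BYTES);
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, PBKDF2_HASH_BYTES, true);
    return implode('$', [PBKDF2_ALGO, (string)$iterations, bin2hex($salt), bin2hex($hash)]);
}

function pbkdf2_verify_password(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4) {
        return false;
    }
    [$algo, $iterations, $saltHex, $hashHex] = $parts;
    if (!in_array($algo, hash_algos(), true) || (int)$iterations < 1) {
        return false;
    }
    $salt     = hex2bin($saltHex);
    $expected = hex2bin($hashHex);
    if ($salt === false || $expected === false || $expected === '') {
        return false;
    }
    $actual = hash_pbkdf2($algo, $password, $salt, (int)$iterations, strlen($expected), true);
    // hash_equals() compares in constant time, so a wrong guess leaks no timing information.
    return hash_equals($expected, $actual);
}

// True when a stored record uses fewer iterations than current policy and
// should be re-hashed at the user's next successful login.
function pbkdf2_needs_rehash(string $record, int $iterations = PBKDF2_ITERATIONS): bool
{
    $parts = explode('$', $record);
    return count($parts) !== 4 || (int)$parts[1] < $iterations;
}

// Constructed usage.
$record = pbkdf2_hash_password('correct horse battery staple');
var_dump(pbkdf2_verify_password('correct horse battery staple', $record));
var_dump(pbkdf2_verify_password('Tr0ub4dor&3', $record));
var_dump(pbkdf2_needs_rehash($record, 400000));
```

The verify function reads the algorithm and iteration count back out of the record instead of assuming the current constants, which is what lets pbkdf2_needs_rehash() migrate old rows as users log in.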

Created a screencast to show how you can create phar files, most importantly personalized phar files to store some information inside them and protect it using the user's password. That information is usable only when the user provides the correct password. For packaging, I have used http://box-project.org which is an excellent phar packager. I've also used two functions from Josh Hartman's blog to encrypt and decrypt data using the Rijndael algorithm.

You can watch the full screencast over on YouTube. It walks you through the entire process of creating a simple script, using the two functions (mc_encrypt and mc_decrypt) to handle the encryption and defining the Box configuration JSON to create the package.

Link: http://hasin.me/2014/01/14/create-personalized-phar-files-in-php

Posted: Wed, 15 Jan 2014 09:32:42 -0600

http://www.phpdeveloper.org/news/18821
Anthony Ferrara has posted his second video tutorial to his site today introducing encryption for those not familiar with it. (The first video is here, "Paradigm Soup")

Encryption can be a complex beast of mathematical operations. In this video, we explore the evolution of modern cryptography and some of the basic underlying principles that it uses to keep data secure.

You can watch it in-page or head over to YouTube for the larger version. You can also follow his playlist to keep up with his future videos.

Posted: Thu, 29 Nov 2012 12:51:01 -0600

http://www.phpdeveloper.org/news/18392
Timo has a new post looking at cryptography in PHP and some of the common misconceptions and how that functionality that your framework provides might not be good enough.

Does your framework of choice offer an easy way to perform data encryption? Maybe you have even utilized data encryption in some format. [...] It could not be much easier than that. It is hard to argue. But things won't stay as simple as this if you look at the meaning of "secure data encryption" a little bit closer. Usually people encrypt their data to make sure the data will stay safe. What does this actually mean? Simply put, it means your data stays secret as long as the secret key stays secret. No matter if an active attack is going on and the adversary can read your encrypted data.

He looks at why encryption by itself isn't that useful: confidentiality only helps if the ciphertext is also authenticated, so an attacker can't silently modify it. He covers the basic questions to ask when working with HMACs and ciphertext malleability, and talks about random number/string generation for IVs and encryption keys and what you can do to make your implementation more robust.
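To make the malleability point concrete, here is an added example (not code from Timo's post) in PHP 7 using the openssl extension: an unauthenticated AES-256-CBC helper of the kind many framework "encrypt" wrappers once shipped, the same helper wrapped in an encrypt-then-MAC construction with HMAC-SHA-256, and a bit-flipping forgery run against both. The sample record, its field layout and the key handling are constructed for the demo.

```php
<?php
// Added example for this page; not Timo's code. Requires PHP 7.0+ (random_bytes).

// Unauthenticated AES-256-CBC, as many "encrypt" helpers historically did it.
function cbc_encrypt(string $plain, string $key): string
{
    $iv = random_bytes(16);
    $cipher = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $iv . $cipher;
}

function cbc_decrypt(string $blob, string $key)
{
    $iv = substr($blob, 0, 16);
    return openssl_decrypt(substr($blob, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Encrypt-then-MAC: tag IV and ciphertext with HMAC-SHA-256 under a separate key,
// and refuse to decrypt anything whose tag does not verify.
function etm_encrypt(string $plain, string $encKey, string $macKey): string
{
    $blob = cbc_encrypt($plain, $encKey);
    return hash_hmac('sha256', $blob, $macKey, true) . $blob;
}

function etm_decrypt(string $blob, string $encKey, string $macKey)
{
    if (strlen($blob) < 32 + 16) {
        return false;
    }
    $tag  = substr($blob, 0, 32);
    $body = substr($blob, 32);
    if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $tag)) {
        return false;   // tampered or forged: never touch the plaintext
    }
    return cbc_decrypt($body, $encKey);
}

// CBC bit-flipping: XORing IV byte i with (old ^ new) turns plaintext byte i of the
// first block from old into new, without the key. The attacker only needs to know
// the plaintext layout.
function flip_first_block(string $blob, int $ivOffset, string $from, string $to): string
{
    // assumption: the target byte sits in the first plaintext block (index < 16)
    $blob[$ivOffset] = $blob[$ivOffset] ^ $from ^ $to;
    return $blob;
}

$encKey = random_bytes(32);
$macKey = random_bytes(32);
$plain  = 'role=user;uid=1042';   // constructed sample record; "user" occupies bytes 5..8

// 1. No MAC: the forged blob decrypts without any error, with "user" rewritten to "root".
$blob   = cbc_encrypt($plain, $encKey);
$forged = $blob;
foreach (str_split('root') as $i => $c) {
    $forged = flip_first_block($forged, 5 + $i, $plain[5 + $i], $c);   // IV starts at byte 0
}
var_dump(cbc_decrypt($forged, $encKey));

// 2. With HMAC: the identical flip is rejected before any plaintext is produced.
$blob   = etm_encrypt($plain, $encKey, $macKey);
$forged = $blob;
foreach (str_split('root') as $i => $c) {
    $forged = flip_first_block($forged, 32 + 5 + $i, $plain[5 + $i], $c);   // IV follows the 32-byte tag
}
var_dump(etm_decrypt($forged, $encKey, $macKey));
```

The first var_dump prints a string whose role field now reads root, because CBC decryption XORs the IV into the first block and nothing checks that the IV was the one the sender used; the second prints false, since the HMAC is verified with hash_equals before decryption is attempted. The MAC key must be distinct from the encryption key, and the tag must cover the IV as well as the ciphertext, otherwise the IV flip above still works.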

Posted: Wed, 22 Aug 2012 12:11:11 -0500

http://www.phpdeveloper.org/news/18021
On the Smashing Magazine site today there's a new tutorial showing you how to replace your MySQL encryption methods for AES with their PHP equivalent.

At our company, we process a lot of requests on the leading gift cards and coupons websites in the world. The senior developers had a meeting in late October to discuss working on a solution to replicate the MySQL functions of AES_ENCRYPT and AES_DECRYPT in the language of PHP. This article centers on what was produced by senior developer Derek Woods and how to use it in your own applications.

He starts with a little backstory: why bother with encryption at all, what AES is, and why you should probably avoid using MySQL's implementation of it in your apps. PHP's mcrypt functions don't produce the same ciphertext as their MySQL counterparts (he explains why) and he includes some quick code to replicate the MySQL behavior. He also notes some pitfalls in the transformation (newline handling among them) and shows the source for their completed "aes_crypt" and "aes_decrypt" functions.
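For readers who need to read rows that MySQL's AES_ENCRYPT() wrote, here is an added example (not the Smashing Magazine code) of where the mismatch comes from. In its default block_encryption_mode MySQL uses AES-128 in ECB mode with PKCS#7 padding, and it does not use the key string directly: every key byte is XOR-folded into a 16-byte buffer at position i mod 16. mcrypt's zero padding and its own handling of over-long keys are why the two implementations never agreed. The version below uses the openssl extension instead of mcrypt; the sample plaintext and key are constructed.

```php
<?php
// Added example for this page, not the Smashing Magazine code.
// Reproduces MySQL's AES_ENCRYPT()/AES_DECRYPT() in their default mode (aes-128-ecb)
// with the openssl extension. Requires PHP 5.3+ with openssl.

// MySQL XOR-folds the supplied key into 16 bytes: byte i goes to position i mod 16.
// A 16-byte key is used as-is; shorter keys are zero-padded; longer keys wrap and XOR.
function mysql_aes_key(string $key): string
{
    $folded = str_repeat("\0", 16);
    $len = strlen($key);
    for ($i = 0; $i < $len; $i++) {
        $folded[$i % 16] = $folded[$i % 16] ^ $key[$i];
    }
    return $folded;
}

function mysql_aes_encrypt(string $plain, string $key): string
{
    // OpenSSL applies PKCS#7 padding by default, which is what MySQL emits;
    // mcrypt's zero padding is one reason the outputs never matched.
    $out = openssl_encrypt($plain, 'aes-128-ecb', mysql_aes_key($key), OPENSSL_RAW_DATA);
    if ($out === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return $out;
}

function mysql_aes_decrypt(string $cipher, string $key)
{
    // Returns false on bad padding, the case where MySQL returns NULL.
    return openssl_decrypt($cipher, 'aes-128-ecb', mysql_aes_key($key), OPENSSL_RAW_DATA);
}

// Constructed sample; the hex printed here should equal
//   SELECT HEX(AES_ENCRYPT('hello world', 'some secret key'));
// on a server running with the default block_encryption_mode.
$cipher = mysql_aes_encrypt('hello world', 'some secret key');
echo bin2hex($cipher), "\n";
var_dump(mysql_aes_decrypt($cipher, 'some secret key'));
```

Treat this as a migration tool, not a design: ECB is deterministic (equal plaintexts give equal ciphertexts, and equal 16-byte blocks repeat within a value) and carries no authentication, so decrypt legacy rows with it once and re-encrypt them under an authenticated mode such as AES-GCM, with the key kept out of the database server entirely.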

Posted: Wed, 30 May 2012 08:43:04 -0500

http://www.phpdeveloper.org/news/17832
In this new post to his blog Anthony Ferrara looks at a common idea that comes up when discussing password hashing in PHP: the global salt (or "pepper").

The other day I announced the release of my new password hashing library, PasswordLib. As I've come to expect, Reddit was full of interesting commentary on the topic. Some was good, some was bad and some surprised me. What surprised me was the insistence on a global salt (otherwise known as a "pepper"). So, I started thinking about it some more, and I figured I'd write a post on why I don't use peppers in my hashing algorithms (and why you may want to rethink it too).

He starts with an explanation of what a salt is (and isn't) to lead naturally into the idea of a "pepper", a single secret value that's used across an entire site/application as extra input to the password hash. He covers four flaws inherent in this method:

There's no proof that using them increases your security.

There are no publicly vetted hashing algorithms that accept a pepper as an argument.

Using a block cipher instead of a pepper provides a stronger level of encryption and protection.

The entire concept of a pepper is based around a flawed premise. [...] The flaw in that premise is that it's often not just your database that's leaked.
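As an added example of the third point (a block cipher rather than a pepper), written for this page and not taken from PasswordLib: bcrypt via password_hash does the stretching, and the resulting hash is encrypted with AES-256-GCM under a key that lives outside the database. Because the key wraps the hash instead of being mixed into its input, it can be rotated without users logging in, which a pepper cannot do. The key-id prefix, the key array and the use of password_hash (PHP 5.5+, newer than the post) are my choices; the keys are constructed inline for the demo.

```php
<?php
// Added example for this page, not Anthony Ferrara's PasswordLib code.
// Requires PHP 7.1+ (openssl AEAD support, password_hash, random_bytes).

// The wrapping key lives outside the database (file outside the web root, HSM, KMS),
// so a database dump alone yields ciphertext, not hashes to crack offline.
function wrap_hash(string $hash, string $key, int $keyId): string
{
    $iv  = random_bytes(12);
    $tag = '';
    // The key id is bound in as associated data so a record cannot be replayed under another key.
    $cipher = openssl_encrypt($hash, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, (string)$keyId, 16);
    if ($cipher === false) {
        throw new RuntimeException('hash encryption failed');
    }
    return $keyId . ':' . base64_encode($iv . $tag . $cipher);
}

// $keys maps key id => 32-byte key; old ids stay until every record is rotated.
function unwrap_hash(string $stored, array $keys)
{
    if (!preg_match('/^(\d+):([A-Za-z0-9+\/=]+)$/', $stored, $m)) {
        return false;
    }
    $keyId = (int)$m[1];
    if (!isset($keys[$keyId])) {
        return false;
    }
    $raw = base64_decode($m[2], true);
    if ($raw === false || strlen($raw) < 28) {
        return false;
    }
    return openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $keys[$keyId], OPENSSL_RAW_DATA,
                           substr($raw, 0, 12), substr($raw, 12, 16), (string)$keyId);
}

function store_password(string $password, string $key, int $keyId): string
{
    // bcrypt does the stretching; the cipher only protects the stored output.
    return wrap_hash(password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]), $key, $keyId);
}

function check_password(string $password, string $stored, array $keys): bool
{
    $hash = unwrap_hash($stored, $keys);
    return $hash !== false && password_verify($password, $hash);
}

// Key rotation needs no user interaction: unwrap with the old key, wrap with the new one.
function rotate_key(string $stored, array $keys, string $newKey, int $newKeyId)
{
    $hash = unwrap_hash($stored, $keys);
    return $hash === false ? false : wrap_hash($hash, $newKey, $newKeyId);
}

// Constructed usage; real keys come from outside the database and the web root.
$keys   = [1 => random_bytes(32)];
$stored = store_password('correct horse battery staple', $keys[1], 1);
var_dump(check_password('correct horse battery staple', $stored, $keys));

$keys[2] = random_bytes(32);
$rotated = rotate_key($stored, $keys, $keys[2], 2);
var_dump(check_password('correct horse battery staple', $rotated, $keys));
var_dump(check_password('wrong password', $rotated, $keys));
```

This only helps against the scenario the fourth point warns about if the key really is stored somewhere the database dump does not reach; if the same compromise exposes both, you are back to plain bcrypt, which is still the component doing the real work.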

Posted: Wed, 18 Apr 2012 09:23:31 -0500

http://www.phpdeveloper.org/news/17427
Michael Nitschinger has a new post for the Lithium framework users out there - a quick tutorial about encrypting your session information with the new built in "Encrypt" strategy feature.

If you check out the master branch, you can use the new Encrypt strategy to encrypt your session data automatically. This means that you can read and write session data in cleartext and they will be encrypted on the fly before getting stored (in a cookie, for example).

You'll need the mcrypt extension installed for it to work correctly, but it makes storing the encrypted version of your data more or less automatic. Just set up your Session configuration to use it as a strategy and any time you call "read" or "write" the hard work is handled for you. For those more interested in what's "under the hood", he goes on to talk about how the strategy works, what cipher it uses by default, how to change it, and the default string used for hashing.

Posted: Fri, 20 Jan 2012 12:09:08 -0600

http://www.phpdeveloper.org/news/14475
On WebReference.com today Leidago Noabeb has kicked off a series with part one of his look at encryption in PHP applications and how it can keep you from ending up like him.

Recently, an attacker hacked into my database and stole all the passwords and usernames stored there. Needless to say, I had to change everything and it cost me time and money. What made the crime easy for the attacker is that I never encrypted any of the passwords in the database. I've learned my lesson and now I'm passing along that wisdom with this article about encryption in PHP. Using some of the encryption techniques that PHP offers, you can safeguard your information in various ways.

He lays the foundation for the series by describing three kinds of protection that can help you secure your data: one-way hashing (which the article calls one-way encryption), symmetric encryption (a single shared key) and asymmetric encryption (a public/private key pair).